We have two ASAs. One on Site A (ASA 5510) and one on Site B (ASA 5505).
I have a VPN Site to Site tunnel connecting both sites which is working away fine. Users on the remote site can access servers here on Site A.
My problem is that from Site A I am unable to ping any PCs on Site B or RDP to them. It is essential for our IT Helpdesk to be able to RDP to these machines.
Our internal network on Site A has a 10.255.0.0 255.255.0.0 range. And the remote network has a 192.168.1.0 255.255.255.0 range.
I will upload both configs and maybe someone can shed some light as to why I can't ping or RDP to the remote machines.
On site B, please remove the following line:
nat (outside) 0 access-list outside_nat0_outbound
And perform "clear xlate" after removing the above.
On site B, please also add the following:
Hope that helps.
When I say
no nat (outside) 0 access-list outside_nat0_outbound
I get the following error:
ERROR: access-list outside_nat0_outbound not bound nat 0
Strange, because that statement is in your configuration on site B.
What does the output "sh run nat" show you?
If it's not showing that particular line, try "clear xlate" and see if you can RDP or ping to site B.
You might also want to check if "Windows Firewall" or another PC firewall is turned on, because sometimes they block incoming pings/connections.
Are you able to ping 192.168.1.1 from site A?
This is what I have when I run sh nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
Actually when I ping 192.168.1.1 I do get replies, I hadn't tried that until now.
If I try to ping a PC called sph-comp-164 IP 192.168.1.21 on Site B I get Request Timed Out.
All PCs on that end have firewalls disabled.
If you are on ASDM, please enable it through the following:
Configuration --> Firewall --> Service Policy Rules --> highlight and edit the "inspection_default" rule --> go to "Rule Actions" tab --> enable "ICMP" --> OK --> Apply
What ip address does 18.104.22.168 belong to?
Does 192.168.1.21 actually respond to ping?
If you go to command line, and run "debug icmp trace" and ping, what are you seeing?
Also, can you please run "sh run all sysopt" and share the output?
That IP Address belongs to an external email hosting company that we use and they come through the ASA on site A. I blanked that out of Site A's config. Just not sure why it is appearing on SITE B's ASA.
When I ping 192.168.1.21 I simply get request timed out.
Here is the result from sysopt.
Unfortunately the ASDM won't allow me to run debug commands from it.
As far as the configuration on site B is concerned, it seems to be correct.
You might want to try pinging other ip addresses in the 192.168.1.x subnet. If you can ping the ASA inside interface 192.168.1.1 that means the crypto configuration is correct and the ping actually does come from site A towards site B.
Seems to be something local to your LAN subnet.
If you have a switch with an SVI on the 192.168.1.x subnet, try to ping that and see if it works. Normally a network device like a switch or router replies to ping if no access-list is blocking it.